Known Issues for older version¶
Timeouts for certificates from CAs that use OCSP¶
As of late 2013 a few CAs (e.g. the CERN CA) have started using the Online Certificate Status Protocol (OCSP) in addition to the CRL mechanism to advertise which certificates have been revoked. Some security libraries will then by default contact the OCSP responder of the CA in real time when a certificate from such a CA needs to be validated. If that outgoing traffic happens to be blocked, or if the responder is slow or even unreachable, the operation will eventually time out (see GGUS:105666). Depending on the case at hand, such a timeout need not be a fatal error in itself, but will at least slow down operations and may therefore cause timeouts downstream (e.g. for CREAM or gLExec).
Workaround¶
In EGI and WLCG we do not need OCSP to work at this time, as the CRL
mechanism is still deemed sufficient. Therefore it is reasonable to
disable OCSP for the time being and version 1.4.1 of the
argus-pdp-pep-common
rpm does that by default. That version was
officially released in Argus v1.6.3
as part of EMI-3 Update 27 (2015-06-10).
Performance issue with Argus PEP Server (EMI-2, EMI-3, all versions)¶
After a large number of authorization requests, the PDP responses caching mechanism in the PEP Server becomes unstable and the performance of the service deteriorates. It is recommended to completely disable the PDP responses caching mechanism in the Argus PEP Server.
Additionally, the default memory settings for the Argus PEP Server could be too low for production site. It is recommended to allocate at least 1GB memory.
Workaround¶
Disabling the caching mechanism
Completely disabling the PDP responses caching mechanism in the PEP Server configuration solves the performance issue. To disable the cache:
- edit the
/etc/argus/pepd/pepd.ini
file - add the parameter
maximumCachedResponses = 0
in the[PDP]
section (see example) - restart PEP Server:
/etc/init.d/argus-pepd restart
(or increase the memory settings, then restart)
Example:
[PDP]
pdps = https://chaos.switch.ch:8152/authz
# disabling the cache
maximumCachedResponses = 0
Increasing the default memory
Allocating 1GB of memory for the Argus PEP Server solves the performance issue. To increase the default memory:
- edit the
/etc/sysconfig/argus-pepd
file - set the line
PEPD_JOPTS="-Xmx1024M"
- restart PEP Server:
/etc/init.d/argus-pepd restart
Problem the EMI-3 update and Argus PEP Server v.1.6.1¶
Updating the Argus PEP Server to the last EMI-3 update
(argus-pep-server-1.6.1
) will not always restart the Argus PEP
Server
Workaround¶
After the update (yum update
), restart the Argus PEP Server by hand:
root# /sbin/service argus-pepd restart
Problem with Argus 1.6 (EMI-3) and fetch-crl
¶
The Argus metapackage emi-argus
have no dependency on the
fetch-crl
cron job. Installing and starting the Argus services,
without having fetch-crl
installed, will cause SSL errors when
trying to connect to the services.
Workaround¶
Prior to installing the emi-argus
metapackage, install the the
fetch-crl
package by hand, and run it at least once:
root# yum install fetch-crl
root# fetch-crl -v
If you have already installed and configured Argus, just install the
fetch-crl
package by hand, run it at least once, and restart the
Argus services:
root# yum install fetch-crl
root# fetch-crl -v
root# service argus-pap restart
root# service argus-pdp restart
root# service argus-pepd restart
Problem with Nagios plugins for Argus and TMP directory permission¶
The nagios-plugins-argus
package do not set the correct ownership
for the /var/lib/grid-monitoring/nagios-plugins-argus
temp
directory. The plugins will throw errors (Permission denied
) because
the ownership of the directory is not nagios
.
Workaround¶
To fix the temp directory ownership to nagios
, please do:
root# yum install nagios-plugins-argus
root# chown -R nagios:nagios /var/lib/grid-monitoring/nagios-plugins-argus
Problem with Argus 1.5 (EMI-2) and CREAM¶
Under heavy load the Argus PEP Server (v1.5.1) does not always return a user mapping for a permitted operation, causing CREAM to throw an error and abort the job. This typically occurs for 10% of the jobs submitted by CREAM.
Workaround¶
Disabling the PDP responses caching mechanism in the PEP Server configuration solve this issue. To disable the cache:
- edit
/etc/argus/pepd/pepd.ini
- add the parameter
maximumCachedResponses = 0
in the[PDP]
section (see example below) - restart PEP Server:
/etc/init.d/argus-pepd restart
Example:
[PDP]
pdps = https://chaos.switch.ch:8152/authz
# disabling the cache
maximumCachedResponses = 0
Problem with upgrade from Argus 1.4 (EMI-1) to Argus 1.5 (EMI-2)¶
When upgrading an previous Argus 1.4 (EMI-1) installation on SL5, you need to re-install Argus 1.5 (EMI-2). This is due to an error in the Argus 1.4 post uninstall script.
Workaround¶
Simply reinstalling the components with YUM just after the upgrade solves the issue:
yum upgrade
(argus is upgraded...)
yum reinstall argus-pap argus-pdp argus-pep-server